Linux - RHCE - SSH - Access Control

MarGib July 18, 2026
🌐 🇵🇱 Polski · 🇬🇧 EN
If you provide SSH login access in a Linux environment, it is good practice to control who can access your server and from where. We can specify which users are allowed to log in via SSH and from which subnets or specific hosts such access is permitted. To achieve this, we will use the capabilities provided by TCP Wrappers and user account configuration in the /etc/passwd file. We will also configure access control using the IPTABLES system firewall. The access control methods presented here also apply to other services where the operating principle is the same. Differences may apply to services that do not work with TCP Wrappers, e.g., samba. More about iptables


BLOCKING SSH ACCESS USING TCP WRAPPERS

TCP Wrappers work by replacing the service program with a simple program called tcpd, which forwards the connection to the actual service only after verifying the connecting client. When a connection is attempted, TCP Wrapper can:
  • check if DNS entries corresponding to IP addresses match the hostnames,
  • check if the client has access rights in the access control files: /etc/hosts.allow and /etc/hosts.deny,
  • use the ident protocol to verify the identity of the connecting user,
  • log appropriate information to system logs,
  • execute any command or script,
  • pass control to the actual network daemon.

hosts.allow and hosts.deny

Based on the file names, we can infer their roles: hosts.allow contains a list of computers that have access rights to specific network services, and hosts.deny contains those that do not. The hosts.allow file is checked first, followed by hosts.deny. Since tcpd stops at the first matching entry, a host found in the first file will be granted access, even if it is also listed in the second file.

The format of individual entries in both files is the same:

lista-usług : lista-komputerów [: polecenie]

- service-list is a comma-separated list of service names or ALL,

- host-list is a comma-separated list of computer names, domain names, IP addresses, network addresses, and network groups; you can use ALL, EXCEPT, LOCAL (local names, i.e., those without dots), PARANOID (only in hosts.deny, meaning all computers whose name does not match their address),

- an optional command is executed every time a pattern match occurs. 

Example commands:
  • spawn - executes a command (as a new process)
  • twist - executes a command instead of the requested service
  • banners - displays text from a file to the client
  • setenv - sets an environment variable for the process runtime environment

More details can be found in man hosts_allow and man 5 hosts_access.

Example : 

If we want to allow SSH access only for the host with the address 192.168.0.50, we add the appropriate entries to the /etc/hosts.allow and /etc/hosts.deny files.

To the hosts.allow file, we add: 

sshd:    192.168.0.50

To the hosts.deny file, we add: 

sshd:      ALL

Such entries will block login attempts to the server from machines other than the host with the address 192.168.0.50.

BLOCKING SSH ACCESS USING IPTABLES 

To allow access to the SSH service only for a selected host or subnet, we can use iptables firewall rules. For the SSH service, these rules concern port 22

Who should have access?

To allow SSH access for a selected host, e.g., with IP address 192.168.0.50, we add the entry: 

iptables -I INPUT -m tcp  -p tcp --dport 22 -s 192.168.0.50 -j ACCEPT

The -s 192.168.0.50 switch specifies the source from which traffic will be allowed to the server.

Next, we save the settings and restart the iptables firewall service: 

# service iptables save 

# service iptables restart 

You should also remember to remove the default rule: 

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

This rule allows SSH access from any host. 

Who should not have access?

If we want to eliminate any host or subnet from which one can access the server using SSH, we can add firewall rules in the form of: 

iptables -I INPUT -m tcp  -p tcp --dport 22 -s 192.168.0.14 -j REJECT

next, we save the settings and restart the iptables firewall service:

# service iptables save 

# service iptables restart 

This entry results in rejecting packets coming from the host with the address 192.168.0.14, preventing it from accessing the server. Upon attempting to log in, the user will see:


# ssh 192.168.0.12
ssh: connect to host 192.168.0.12 port 22: Connection refused

Instead of individual IP addresses, we can also provide subnet addresses in the form of:

-s 192.168.0.0/24


More about iptables can be read: here.

BLOCKING SSH ACCESS FOR A LOCAL USER

To block access to the system shell for a selected user, simply modify their entry in the /etc/passwd file


nosshuser:x:500:501::/home/nosshuser:/sbin/nologin
user1:x:501:502::/home/user1:/bin/bash


The snippet from the /etc/passwd file shows two users, where the user "nosshuser" does not have the ability to log in to the server using SSH, as indicated by the entry:

/sbin/nologin



Facebook X E-mail

Comments

Dodaj komentarz

Explore

Labels

learning 15 Security 13 automation 12 news 11 Anthropic 10 Windows 10 browsers 10 Automation 9 Opera 9 Technology 9 AI ethics 8 Configuration 8 RHCE 8 Software 8 facebook 8 web applications 8 Exam 7 LLM 7 OpenAI 7 chrome 7 coaching 7 curiosities 7 technology 7 www 7 Docker 6 Microsoft 6 Mind 6 Programming 6 Red Hat 6 Web browser 6 cybersecurity 6 entertainment 6 new technologies 6 security 6 AI agents 5 ChatGPT 5 Claude AI 5 Cybersecurity 5 God 5 Performance 5 Productivity 5 algorithms 5 books 5 machine learning 5 network 5 networking 5 open source 5 programming 5 AI 2026 4 CentOS 4 Claude 4 IT security 4 LVM 4 Open Source 4 RH442 4 RHS333 4 Ubuntu 4 Vivaldi 4 Windows 10 4 Windows system administration 4 applications 4 bash 4 containers 4 future of technology 4 future of work 4 health 4 language models 4 mindfulness 4 n8n 4 people 4 photography 4 psychology 4 system administration 4 trivia 4 AI safety 3 Administration 3 Android 3 BIG DATA 3 Business 3 FIFA 3 Firefox 3 Google projects 3 Homelab 3 Installation 3 Kubernetes 3 Local AI 3 Personal Development 3 Personal Finance 3 Privacy 3 Programs 3 Python 3 communication 3 computer science 3 extensions 3 faith 3 ftp 3 games 3 good movie 3 help 3 human 3 interesting websites 3 interface 3 macOS 3 media 3 mental health 3 money 3 open-source 3 opensource 3 personal competencies 3 personal development 3 privacy 3 reading 3 religion 3 tools 3 users 3 virtualization 3 web browser 3 websites 3 AGI 2 AI Act 2 AI assistant 2 AI at work 2 AI benchmarks 2 Apache 2 Asus 2 AutoGen 2 Career 2 Centos 2 Claude 3.5 Sonnet 2 Cloud 2 Codex 2 DNS 2 Debian 2 Debugging 2 DevOps 2 Docker Machine 2 Drones 2 Education 2 Error 2 Fable 2 Free Red Hat 2 GDPR 2 GPT-4 2 Guide 2 Hardware 2 Intel 2 Intelligence 2 Japan 2 JavaScript 2 Job Market 2 Kerberos 2 Kernel 2 Linux kernel 2 Machine Learning 2 Medicine 2 Mythos 2 NIS 2 Navy SEALs 2 Netflix 2 Poland 2 Psychology 2 Puppeteer 2 RAID 2 RHEL7 2 RSS 2 Rocky Linux 2 Rust 2 Sakana AI 2 Security Network Services 2 Self-hosting 2 Servers 2 Software Engineering 2 Ubuntu Server 2 Windows administration 2 Windows errors 2 ansible 2 better life 2 brain 2 brain-computer interfaces 2 chat 2 children 2 cloud storage 2 communicator 2 communities 2 computer intelligence 2 computers 2 conferences 2 courses 2 creativity 2 critical thinking 2 curl 2 cyberattacks 2 data 2 death 2 developer tools 2 digital detox 2 digital hygiene 2 documentary 2 earning 2 emotions 2 file storage 2 file system 2 fix 2 free application 2 free courses 2 free knowledge from the internet 2 free training 2 future of AI 2 future skills 2 genius 2 hacker 2 investments 2 iostat 2 iptables 2 kernel 2 labor market 2 local AI 2 logs 2 mind manipulation 2 mind programming 2 mobile 2 mobile apps 2 mobile phones 2 motivation 2 movie 2 multimedia 2 neurotechnology 2 operating systems 2 optimization 2 overstimulation 2 partitions 2 performance 2 personal thoughts 2 philosophy 2 photos 2 plugin 2 podcast 2 prompt 2 regulations 2 sar 2 scientific facts 2 self-development 2 shell 2 social media 2 software 2 technological innovations 2 technology addiction 2 terminal 2 torrent 2 trick 2 virtualbox 2 wealth 2 weather 2 web 2 wisdom 2 youtube 2 (Treści etykiet nie zostały podane w treści wejściowej) 1 120B models 1 2026 photography market 1 21st Century Skills 1 2FA 1 2nm processors 1 3D printing 1 5 GHz 1 6 GHz 1 64 bit 1 7 1 ACT therapy 1 AF_ALG 1 AGAT 1 AI API key theft 1 AI Agents 1 AI Frameworks 1 AI Governance 1 AI History 1 AI Safety 1 AI addiction 1 AI agent attack 1 AI autonomy 1 AI censorship 1 AI chatbots 1 AI collaboration 1 AI cyber threats 1 AI cybersecurity 1 AI future 1 AI governance 1 AI in Linux 1 AI in art 1 AI in education 1 AI in healthcare 1 AI in industry 1 AI in school 1 AI in science 1 AI in sports 1 AI integration 1 AI interaction 1 AI on mobile devices 1 AI optimization 1 AI regulation 1 AI security 1 AI superchips 1 AI threats 1 AI tool attacks 1 AI tools 1 AI workflows 1 AIMP 1 AMD ROCm 1 AMLD6 1 API 1 API key protection 1 AWS 1 Acquisition 1 Agentjacking 1 Alan Watts 1 Alexander Gerst 1 Alfred 1 AlmaLinux 1 Alpine Linux 1 Amazon Kuiper 1 Andrej Karpathy 1 Anonymous 1 Apple 1 Apple 2025 1 Apple Silicon 1 Aria AI 1 Audacity 4 1 AutoJack 1 Azure 1 BCI 1 Backstage 1 Banking 1 Bash 1 Bazel 1 Bible 1 Big Data 1 Bill Warner 1 Biotechnology 1 Black Mirror 1 Blackwell B100 1 Blockchain 1 Bonding 1 Bono 1 Business and Finance 1 C++ 1 CCPA 1 CPU 1 CUA 1 CUDA 1 CVE-2026 1 Career Development 1 Chat GPT 1 Chemtrails 1 ChildOnlineSafety 1 Claude Cowork 1 Claude Fable 1 Claude Sonnet 5 1 Coaching 1 Computer-Using Agent 1 Constitutional AI 1 Copilot 1 Copilot for Finance 1 Couching 1 CrewAI 1 Cryptocurrencies 1 Cyberbullying 1 DFS 1 DMA 1 DORA 1 DSA 1 Dario Amodei 1 Darwin 1 Data Science 1 Deep Learning 1 Deep Reading 1 DeepSeek 1 Deepseek 1 Deluge 1 Devin AI 1 Diagnostics 1 Digitalization 1 Distributions 1 Docker containers 1 Drivers 1 Dystrybucje 1 E2EE 1 E2EE vulnerabilities 1 EA GAMES 1 EA SPORTS 1 Earth AI 1 Economics 1 Email 1 Emigration 1 Enterprise Linux 1 Entrepreneurship 1 Epicureanism 1 European Funds 1 European Union 1 European technology 1 Excel 1 FIFA 16 1 Facebook 1 Fact-checking 1 Fake News 1 Flannel 1 Flynn Effect 1 Football 1 Formoza 1 Foundation 1 Free 1 Free Software 1 Free software 1 Fugu Ultra 1 Future 1 Future of Finance 1 Future of Work 1 GLM-5.2 1 GPG Tools 1 GPT 1 GPT-4.5 1 GPT-4o 1 GPT-Live 1 GPU Cloud 1 GROM 1 GRUB 1 GUI 1 Gemini 1 Gemma 4 1 Generation Z 1 GhostLock 1 GitHub 1 GitOps 1 Golden Gate 1 Google Assistant 1 Google DeepMind 1 Google Gemma 4 12B 1 Google Research 1 Google activity 1 GoogleFamilyLink 1 Goose 1 Got Talent 1 Gregory Kurtzer 1 Guides 1 HTML 1 Hardware Requirements 1 Health Intelligence 1 Hygge 1 IAM 1 IBM 1 IDE 1 IDE security 1 IQ 1 ISIS 1 ISO 1 ISS 1 IT 1 IT automation 1 IT costs 1 IT history 1 Innovation 1 Intelligent email 1 Internet Browser 1 Internet browser 1 InternetEducation 1 Interview 1 Islam 1 Islamic State 1 Jacquard 1 Jboss 1 Jellyfin 1 JetBrains Marketplace 1 Jetson Thor price 1 Joel Pearson 1 Kali Linux 1 Karen Hao 1 Khan Academy 1 Kimi K3 1 Kodi 1 Kylian Mbappé 1 LLM Deployment 1 Labor Market 1 LangChain 1 Legal regulations 1 LibreOffice 1 Linus Torvalds 1 Linux 7.3 1 Linux automation 1 Linux diagnostics 1 Linux for business 1 Linux system tools 1 Linux task management 1 Linux task scheduling 1 Logs 1 Londoners 1 MAS 1 MCP 1 MFA 1 MLX 1 Maps 1 MarGib_Film 1 Marek Jankowski 1 Mars helicopter 1 Material Design 1 Matt Pocock 1 Microsoft 365 1 Military 1 Mindfulness 1 Mistral AI 1 Miłosz Brzeziński 1 Model Context Protocol 1 Monitoring 1 Moonshot AI 1 MrBallen 1 Multi-Agent Systems 1 My take 1 NATO 1 NFS 1 NIS2 1 NTFS 1 NVIDIA 1 NVIDIA Blackwell 1 NVIDIA Jetson Thor 1 National security 1 Neural Networks 1 New 1 Nginx 1 No comment 1 Node.js 1 Non-profit 1 Notion 1 Nvidia 1 Odysseus 1 OneTrust 1 OpenSSL 1 Opera Air 1 Opera Neon 1 Opera Touch 1 Operating Systems 1 P2P 1 PARP 1 PDF conversion 1 PDF editor 1 PDF merging 1 Pac-Man 1 Pekao S.A 1 Peperclips 1 Perceptron 1 Personal development 1 Philosophy 1 Photoshop 1 Playwright 1 Plex 1 Poland 2026 1 Poles 1 Polish universities 1 PostgreSQL 1 PowerShell 1 Preview 1 Project Maven 1 Project TANGO 1 Proton Drive 1 Proxmox 1 PyTorch 1 Qt Creator 1 Quick Actions 1 Quota 1 Quotes 1 RHEL 1 RHEL8 1 RHSCA 1 RPM 1 Raspberry PI 1 Raspberry Pi 1 Raspbian 1 Raycast 1 Red Hat 8 1 Red Hat Enterprise Linux Developer Suite 1 Red Hat Network Satellite 1 RedHat 8 1 Regex 1 Robo-advisors 1 Routing 1 SMEs 1 SUSE 1 SafeInternet 1 SaferInternetDay 1 Safety 1 Sakana Fugu 1 Search 1 Sector 3.0 Festival 1 Security Auditing 1 September 23 2017 1 Server Administration 1 Signal 1 Smart City 1 Snip. 1 Social Media 1 Soli 1 Solo Projects 1 Solopreneurship 1 Something from myself 1 Sound 1 Sovereign AI 1 Sport 1 Spotify 1 Stacher.IO 1 Stacher.IO installation 1 Starlink 1 Steam Deck 1 Stoicism 1 SysAdmin 1 System Administration 1 Tech 1 Tech Weekly 1 Telegram 1 TensorFlow 1 The Shack 1 Time Management 1 Tips 1 Tokenomics 1 Tools 1 Tribler 1 Tutorial 1 U.S. 1 U.S. government 1 U2 1 UI testing 1 USB 1 UV 1 Ubuntu 26.04 1 VentuSky 1 VirtualBox 1 Virtualization 1 WBC 1 WSL 3 1 WWDC 2026 1 WWDC26 1 Warsaw 1 Weave 1 Web Scraping 1 Websites 1 WhatsApp 1 Wi-Fi 6 1 Wi-Fi 6E 1 Wi-Fi channels 1 Windows update 1 Work 1 Workflow 1 World Cup 1 World Cup 2026 1 World Cup AI 1 World Wide Web 1 X-Files 1 X-files 1 YouTube 1 Yuval Noah Harari 1 ZUS 1 ZenFone 1 Zero-Touch OAuth 1 Zorin OS 1 a drop of motivation 1 about this blog 1 academic fraud 1 access control 1 account security 1 achieving goals 1 ad blocking 1 addiction 1 administrator 1 agent systems 1 aids 1 ampere altra 1 analog photography 1 animations 1 application prototyping 1 arm servers 1 arm64 1 assertiveness 1 astronomy 1 at one-time tasks 1 at vs cron 1 atd daemon 1 audio 1 audio editing 1 authenticity in art 1 authorization 1 autofs 1 automateit 1 automation security 1 automation system attack 1 autonomous cars 1 awareness 1 awk 1 aws graviton 1 bank 1 bash on windows 1 bat files 1 batch 1 battery 1 beliefs 1 beta 1 better living 1 better quality 1 big data 1 bin/bash 1 biodiversity 1 blocking 1 blogger 1 body language 1 bookmarks 1 boot 1 bootable usb 1 boxing 1 browser automation 1 business intelligence 1 c# 1 cache 1 calc 1 campaign 1 cards 1 centralized platforms 1 chemistry 1 child psychology 1 children's emotional development 1 city design 1 clearance 1 cli tools 1 climate change 1 clothing industry 1 cloud 1 cmd 1 code editor 1 cognitive abilities 1 cognitive psychology 1 coldplay 1 command history 1 command line 1 command prompt 1 commando training 1 comments 1 compliance 1 compliance automation 1 compliance tools 1 computer interaction 1 computer performance 1 concentration 1 configuration management 1 conntrack 1 console 1 conspiracy 1 conspiracy theories 1 controversial 1 converter 1 corporate world 1 cost optimization 1 courage 1 courses for free 1 cron 1 cryptography 1 cynics 1 dark mode 1 data security 1 database 1 datasette 1 date and time 1 deep brain stimulation 1 deep learning 1 democracy 1 desertification 1 design patterns 1 design systems 1 developers 1 digital addiction 1 digital clothing 1 digital competencies 1 digital education 1 digital ethics 1 digital habits 1 digital manipulation 1 digitalization 1 disqus 1 document 1 document conversion 1 document signing 1 dreams 1 drop of motivation 1 drought 1 dubai 1 dying 1 e-book 1 eBPF 1 ecology 1 economy 1 ecosystem restoration 1 edge computing 1 elections 1 encryption 1 end of the world 1 end of world 1 end-to-end encryption 1 energy 1 energy efficiency 1 environment and health 1 ethical AI 1 evolution 1 excel 1 exploitation 1 extreme 1 fdisk 1 file sharing 1 file size 1 film zone 1 firewall 1 flash drive 1 flat earth 1 flying 1 food 1 football 1 for sale 1 format change 1 free 1 free software 1 friend location 1 future of architecture 1 future of education 1 future of energy 1 future of humanity 1 future of medicine 1 future of the brain 1 future of the internet 1 future of transport 1 game 1 geoengineering 1 global connectivity 1 google chat 1 graphics 1 graphics editors 1 growing up 1 hacking 1 happiness 1 hard-link 1 hashing 1 hedonic adaptation 1 helion 1 history 1 hivemind 1 hobby 1 home hosting 1 homelab 1 hostname 1 hostnamectl 1 hosts.allow 1 hosts.deny 1 how many people live on earth 1 httpd 1 humanity 1 humor 1 hybrid cloud 1 iOS 1 iPhone 18 Pro 1 iPhone launch 1 iSCSI 1 iftop 1 image generation 1 immortality 1 influencer criticism 1 information manipulation 1 infrastructure 1 infrastructure scalability 1 innovation 1 installation 1 integrations 1 intelligence 1 internet applications 1 investigative journalism 1 investing 1 jailbreaking 1 javascript 1 job market 1 kernel security 1 keyboard shortcuts 1 kuba wojewódzki 1 light 1 limits 1 linux kernel 1 livepatch 1 login 1 loop-audit 1 loop-cost 1 loop-init 1 macOS Sequoia 1 machine cloning 1 magic 1 make life harder 1 making money 1 malicious JetBrains plugins 1 malware in IDE 1 markdown 1 markitdown 1 material design 1 media streaming 1 medicine 1 meditation 1 memory 1 message security 1 messenger 1 meteorology 1 microsoft 1 microtargeting 1 military ethics 1 mobile applications 1 mobile photography 1 model interpretability 1 modern technologies 1 monitoring 1 monorepo 1 mounting 1 mounting image 1 mp3 player 1 mpstat 1 multimedia tools 1 multimodality 1 music 1 music player 1 mysteries 1 n8n security 1 national defense 1 nature conservation 1 net use 1 nethogs 1 network cards 1 network monitoring 1 network resources 1 network security 1 neurobiology 1 neuroenhancement 1 neuroplasticity 1 neuropsychology 1 new life 1 new player 1 new things 1 nftables 1 office 1 onboarding 1 one-time cron 1 onestep4red 1 online 1 online courses 1 online privacy 1 operating system 1 outage 1 package manager 1 paper clips 1 paradox of the fulfilled dream 1 parenting 1 parents 1 parted 1 password 1 password change 1 password policy 1 password recovery 1 password security 1 passwords 1 pdf 1 penetration testing 1 perseverance 1 persistent memory 1 personal data 1 phishing 1 php 1 plagiarism detection 1 plague 1 player 1 poison 1 police 1 predictions 1 privilege escalation 1 processes 1 productivity 1 productivity tools 1 promissory notes 1 protection 1 ps 1 python 1 questions 1 radar 1 raspberry pi 5 1 real-time AI 1 red 1 relax 1 relaxation 1 remote work 1 renewable energy sources 1 reportage 1 rest 1 risk 1 robotaxi 1 root 1 router 1 routing 1 runlevel 1 satellite data 1 satellite internet 1 science 1 scientific research 1 scraping 1 screen 1 screenshot 1 self-hosting 1 series 1 server 1 settings 1 shadow AI 1 show 1 skills 1 skydive 1 sleep 1 small big company 1 smart clothing 1 smartphone 1 smartphones 1 social engineering 1 society 1 software engineering 1 space 1 space technology 1 special forces 1 sport 1 sports 1 spreadsheet 1 sqlite 1 stale data 1 stalking 1 statistics 1 streaming 1 sub-millimeter sensor 1 success 1 symbolic link 1 syngrapha 1 sysctl 1 syslog 1 system acceleration 1 system diagnostics 1 system kernel 1 systemd 1 tablet 1 talk show 1 tcpdump 1 technical documentation 1 technology 2026 1 technology ethics 1 technology future 1 technology regulations 1 television 1 terrorism 1 testing 1 the world in numbers 1 theology and science 1 threats 1 time management 1 time travel 1 timelapse 1 tips 1 traditional photography 1 tutorials 1 two-factor authentication 1 ubuntu 1 udev 1 upbringing 1 updates 1 user interface 1 video conversion 1 violence in the military 1 viral 1 walking 1 walking meetings 1 water retention 1 weather forecasting 1 webmaster 1 wellbeing 1 wind energy 1 wind turbine optimization 1 windows automation 1 wireless network 1 word processing 1 work 1 work automation 1 world 1 world cup 2026 1 world wide web 1 you are a miracle 1 yum 1 zeitgeist 1

Blog archive

Table of contents